MS Windows Event Logging XML - Application

Device Details

| Field | Value |
|---|---|
| Device Name | MS Windows Event Logging XML - Application |
| Vendor | Microsoft |
| Device Type | N/A |
| Supported Model Name/Number | N/A |
| Supported Software Version(s) | N/A |
| Collection Method | MS Windows Event Logging |
| Configurable Log Output? | No |
| Log Source Type | N/A |
| Log Processing Policy | LogRhythm Default |
| Exceptions | N/A |
| Additional Information | https://docs.microsoft.com/en-us/windows/win32/msi/event-logging |

Supported Log Messages

(For each supported message type, the parsing rule name and the LogRhythm schema fields (LR tags) that the rule populates from the event.)

| Type | Product Version | Supported Schema Fields |
|---|---|---|
| Catch All : Application Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname>, <object> |
| Catch All : Crypto API Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <processid>, <session>, <object>, <hash> |
| Catch All : ESENT Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <process>, <processid> |
| Catch All : Level 2 2 | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <process>, <processid>, <session> |
| Catch All : Level 3 | N/A | <process>, <vendorinfo>, <vmid>, <severity>, <processid>, <session>, <dname>, <domain>, <login>, <object>, <sip> |
| Catch All : MsiInstaller Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname>, <session>, <processid> |
| Catch All : MSSQLSERVER Messages | N/A | <vmid>, <vendorinfo>, <severity>, <sip>, <sname>, <dname>, <login>, <domainorigin>, <command>, <action>, <reason>, <tag1>, <tag2> |
| Catch All : Outlook Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname>, <object> |
| Catch All : Service Optimization | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <session>, <process>, <processid>, <status> |
| Catch All : SQLVDI Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname> |
| Catch All : SQLWRITER Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname> |
| Catch All - Symantec AntiVirus | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <object>, <objectname>, <objecttype>, <command>, <parentprocesspath> |
| Catch All : System Restore Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname>, <session>, <processid>, <command>, <action> |
| Catch All : Trend Micro OfficeScan Server | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <login>, <domainorigin>, <session>, <process>, <processid>, <subject> |
| Catch All : VSS Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname> |
| Catch All : Windows Error Reporting Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <subject>, <object> |
| Catch All : WSUS Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname> |
| Certificate Services Client : Cert Enrollment | N/A | <vendorinfo>, <vmid>, <severity>, <processid>, <session>, <dname>, <domain>, <login>, <group>, <object> |
| EVID 1 : CVE Messages | N/A | <vmid>, <severity>, <dname>, <account>, <processid>, <object>, <cve>, <tag1> |
| EVID 3 : System Service Model Exception | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <process>, <processid>, <subject>, <object> |
| EVID 1000 : Application Fault | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <process>, <version>, <object> |
| EVID 1002 : Application Hang | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <process>, <version>, <object> |
| EVID 1008 : Microsoft-Windows-Perflib | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <processid>, <version>, <object>, <objectname>, <threatid>, <bytesin> |
| EVID 1026 : Net Process Terminated Unhandled Excp | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <process>, <version> |
| EVID 1040 & 1042 : MsiInstaller | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domain>, <login>, <object>, <process>, <processid> |
| EVID 1309 : ASP.NET Request Aborted | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <process>, <processid>, <object>, <tag1> |
| EVID 1530 : Registry Key Still In Use | N/A | <vendorinfo>, <vmid>, <severity>, <processid>, <session>, <dname>, <domain>, <login>, <quantity>, <process>, <object> |
| EVID 2004 : Microsoft-Windows-PerfNet | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <processid>, <version>, <threatid> |
| EVID 4609 : COM+ Event System Bad Return Code | N/A | <vendorinfo>, <vmid>, <severity>, <processid>, <session>, <dname>, <object>, <objectname>, <subject> |
| EVID 5605 : Microsoft-Windows-WMI | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <login>, <domainorigin>, <processid>, <version> |
| EVID 33205 : SQL Audit Event | N/A | <vendorinfo>, <vmid>, <severity>, <sname>, <quantity>, <tag1>, <result>, <sessiontype>, <session>, <tag2>, <login>, <tag3>, <account>, <dname>, <object>, <group>, <objectname> |
| LogRhythm Diagnostics | N/A | <vmid>, <sip>, <sport>, <dname>, <object>, <objectname>, <rate>, <tag1>, <tag2>, <tag3> |
| LogRhythm KB Admin Service | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <object>, <objectname> |
| MailMarshal Messages | N/A | <vendorinfo>, <vmid>, <severity>, <sname>, <dname>, <session>, <object>, <subject>, <version> |
| MsiInstaller : Installer Close Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domain>, <login>, <process>, <subject>, <object> |
| MsiInstaller Messages 1 | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domain>, <login>, <process>, <version> |
| MS Windows Log Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <session>, <process>, <processid>, <object>, <objectname>, <subject>, <version>, <useragent> |
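Added example, not code from the original page and not LogRhythm's own MPE rule logic: a small Python parser that takes Application-log events in the XML form the collector ships, routes each one to a rule named in the table above, and populates the fields that row lists. It covers the EVID 1000 (Application Fault) and EVID 1002 (Application Hang) rules, the ESENT provider catch-all, and the generic Application catch-all, then runs one detection check over the result: an Application Fault whose faulting module was loaded from a user-writable directory, which is how exploitation of an Office or browser process typically first shows up in this log. The positional EventData layouts for the Application Error, Application Hang and ESENT providers, the use of the provider name as vendorinfo, the module or application path as object, and the user-writable directory list are all assumptions; the three sample events are constructed, not captured from a host.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Windows event Level values and their names (Windows event schema).
LEVELS = {0: "LogAlways", 1: "Critical", 2: "Error", 3: "Warning",
          4: "Information", 5: "Verbose"}
# Directories a standard user can write to; a faulting module loaded from one
# of these deserves a second look (assumed list, extend per estate).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def _common_fields(ev):
    """Fields that every rule in the table populates."""
    system = ev.find("e:System", NS)
    return {
        "vmid": int(system.findtext("e:EventID", namespaces=NS)),
        "severity": LEVELS.get(int(system.findtext("e:Level", namespaces=NS)), "Unknown"),
        "dname": system.findtext("e:Computer", namespaces=NS),
        # The table does not say what lands in vendorinfo; the provider name
        # is used here (assumption).
        "vendorinfo": system.find("e:Provider", NS).get("Name"),
    }


def _event_data(ev):
    """Positional <Data> values; classic providers leave them unnamed."""
    return [d.text or "" for d in ev.findall("e:EventData/e:Data", NS)]


def _application_fault(ev):
    # Application Error 1000 parameter order (assumed from the message template):
    # 0 app name, 1 app version, 2 app timestamp, 3 module name, 4 module version,
    # 5 module timestamp, 6 exception code, 7 fault offset, 8 pid, 9 start time,
    # 10 app path, 11 module path, 12 report id. object = faulting module path.
    d = _event_data(ev)
    return {"process": d[0], "version": d[1], "object": d[11] or d[3]}


def _application_hang(ev):
    # Application Hang 1002: 0 program, 1 version, 2 pid, 3 start, 4 termination,
    # 5 application path, 6 report id (assumed). object = application path.
    d = _event_data(ev)
    return {"process": d[0], "version": d[1], "object": d[5]}


def _esent(ev):
    # ESENT messages start "<process> (<pid>,...)"; the leading number of the
    # second parameter is read as the process id (assumption).
    d = _event_data(ev)
    return {"process": d[0], "processid": int(d[1].split(",")[0])}


# (provider, EventID) -> rule name from the table and its field extractor.
EVID_RULES = {
    ("Application Error", 1000): ("EVID 1000 : Application Fault", _application_fault),
    ("Application Hang", 1002): ("EVID 1002 : Application Hang", _application_hang),
}
# Provider-level catch-alls consulted when no EVID rule matches.
PROVIDER_RULES = {"ESENT": ("Catch All : ESENT Messages", _esent)}
DEFAULT_RULE = ("Catch All : Application Messages", lambda ev: {})


def parse_event(xml_text):
    """Parse one Application-log event (XML form) into schema fields plus the rule that claimed it."""
    ev = ET.fromstring(xml_text)
    fields = _common_fields(ev)
    rule, extract = EVID_RULES.get(
        (fields["vendorinfo"], fields["vmid"]),
        PROVIDER_RULES.get(fields["vendorinfo"], DEFAULT_RULE))
    fields.update(extract(ev))
    fields["rule"] = rule
    return fields


def is_suspicious_fault(fields):
    """True for an Application Fault whose faulting module sits in a user-writable path."""
    if fields.get("rule") != "EVID 1000 : Application Fault":
        return False
    return any(marker in fields["object"].lower() for marker in USER_WRITABLE)


# Constructed sample events (not captured from a real host).
SAMPLE_FAULT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Application Error"/><EventID Qualifiers="0">1000</EventID>
<Level>2</Level><Computer>ws-042.corp.example</Computer></System>
<EventData><Data>WINWORD.EXE</Data><Data>16.0.10000.20000</Data><Data>5f1a2b3c</Data>
<Data>ole32.dll</Data><Data>10.0.19041.1</Data><Data>5e4d3c2b</Data><Data>c0000005</Data>
<Data>0000000000012345</Data><Data>1a2c</Data><Data>01d9c0ffee000000</Data>
<Data>C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
<Data>C:\Users\alice\AppData\Local\Temp\ole32.dll</Data>
<Data>9b1c1d2e-0000-0000-0000-000000000001</Data></EventData></Event>"""
SAMPLE_HANG = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Application Hang"/><EventID Qualifiers="0">1002</EventID>
<Level>2</Level><Computer>ws-042.corp.example</Computer></System>
<EventData><Data>chrome.exe</Data><Data>120.0.6099.130</Data><Data>2f10</Data>
<Data>01d9c0ffee000000</Data><Data>01d9c0ffee100000</Data>
<Data>C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
<Data>3d2e1f00-0000-0000-0000-000000000002</Data></EventData></Event>"""
SAMPLE_ESENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="ESENT"/><EventID Qualifiers="0">327</EventID>
<Level>4</Level><Computer>ws-042.corp.example</Computer></System>
<EventData><Data>svchost</Data><Data>1184,R,98</Data></EventData></Event>"""

if __name__ == "__main__":
    for sample in (SAMPLE_FAULT, SAMPLE_HANG, SAMPLE_ESENT):
        parsed = parse_event(sample)
        print(parsed["rule"], parsed, "SUSPICIOUS" if is_suspicious_fault(parsed) else "")
```

To compare the parser against what a real host emits, dump a few events in the same XML form with `Get-WinEvent -LogName Application -MaxEvents 5 | ForEach-Object { $_.ToXml() }` and feed them to `parse_event`. Two points worth keeping in mind when tuning on this log source: the generic catch-all rows in the table retain little beyond vmid, severity, dname and vendorinfo, so any detection that needs a process or object field from a provider without its own row needs a dedicated rule; and for EVID 1000 the value that matters for an alert is the faulting module path, not the crashing application name, which is why the check above keys on object.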

Revision History

| KB Version | Log Type | Change Type | Details |
|---|---|---|---|
| KB 7.1.598.0 | N/A | Parsing Improvement and Documentation | N/A |